(57) ABSTRACT

Protocols and architecture for secure virtual private networks. Intraenterprise data communications are supported in a secure manner over the Internet or other public network space with the implementation of secure virtual private networks. Members of a virtual private network group exchange data that may be compressed, encrypted and authenticated, if the exchange is between members of the group.

FIG. 1 (Prior Art)
ARCHITECTURE FOR VIRTUAL PRIVATE NETWORKS

BACKGROUND OF THE INVENTION

1. Related Information

The present invention is related to the one described in copending U.S. Patent Application entitled "An Apparatus for Implementing Virtual Private Networks," U.S. Ser. No. 08/874,091, assigned to the assignee of the present application and filed concurrently herewith.

2. Field of the Invention

The present invention relates to the field of data communications. More particularly, the present invention relates to techniques for implementing secure virtual private networks over public or otherwise insecure data communications infrastructures.

3. Background

In recent years organizations have come to rely heavily on the ability to transmit electronic data between members of the organization. Such data typically includes electronic mail and file sharing or file transfer. In a centralized, single site organization these transfers of electronic data are most commonly facilitated by a local area network (LAN) installed and operated by the particular enterprise.

Preventing unauthorized access to data traversing an enterprise's LAN is relatively straightforward. This applies to both unauthorized accesses by members of the enterprise and, more importantly, to third parties on the outside. As long as intelligent network management is maintained, unauthorized accesses to data traversing an enterprise's internal LAN are relatively easily avoided. It is when the enterprise spans multiple sites that security threats from the outside become a major concern.

For distributed enterprises that desire the conveniences of the above-described electronic data transfers, there are several options that exist today, but each with associated disadvantages. The first option is to interconnect the offices or various sites with dedicated, or private communications connections often referred to as leased lines. This is the traditional method organizations use to implement a wide area network (WAN). The disadvantages of implementing an enterprise owned and controlled WAN are obvious: they are expensive, cumbersome and frequently underutilized if they are established to handle the peak capacity requirements of the enterprise. The obvious advantage to this approach is that the lines are dedicated for use by the enterprise and are therefore secure, or reasonably secure, from eavesdropping or tampering by intermediate third parties.

An alternative to the use of dedicated communications lines in a wide area network is for an enterprise to handle intersite data distributions over the emerging public network space. Over recent years, the Internet has transitioned from being primarily a tool for scientists and academics to a mechanism for global communications with broad ranging business implications. The Internet provides electronic communications paths between millions of computers by interconnecting the various networks upon which those computers reside. It has become commonplace, even routine, for enterprises, even those in nontechnical fields, to provide Internet access to at least some portion of the computers within the enterprise. For many businesses this facilitates communications with customers, potential business partners as well as the distributed members of the organization. Distributed enterprises have found that the Internet is a convenient tool to provide electronic communications between members of the enterprise. For example, two remote sites within the enterprise may each connect to the Internet through a local Internet Service Provider (ISP). This enables the various members of the enterprise to communicate with other sites on the Internet including those within their own organization. The limiting disadvantage of using the Internet for intra-enterprise communications is that the Internet is a public network space. The route by which data communication travel from point to point can vary on a per packet basis, and is essentially indeterminate. Further, the protocols for transmitting information over the various networks of the Internet are widely known, and leave electronic communications susceptible to interception and eavesdropping with packets being replicated at most intermediate hops. An even greater concern arises when it is realized that communications can be modified in transit or initiated by impostors. With these disconcerting risks, most enterprises are unwilling to subject their proprietary confidential internal communications to the exposure of the public network space. For many organizations it is [illegible] also to maintain the existing dedicated communications paths for internal enterprise communications, [illegible] disadvantages described above.

While various encryption and other protection mechanisms have been developed for data communications, none completely and adequately addresses the concerns raised for allowing an enterprise to truly rely on the public network space for secure intra-enterprise data communications. It would be desirable, and is therefore an object of the present invention [illegible] mechanisms which would allow the distributed enterprise to rely solely on the public network space for intra-enterprise communications without concern for security risks that presently exist.

SUMMARY OF THE INVENTION

From the foregoing it can be seen that it would be desirable and advantageous to develop protocols and architecture to allow a single organization or enterprise to rely on the public network space for secure intraorganizational electronic data communications. The present invention is thus directed toward the protocols and architecture for implementing secure virtual private networks over the Internet or other public network systems. The architecture of the present invention introduces a site protector or virtual private network (VPN) unit which moderates data communications between members of a defined VPN group. In accordance with one embodiment of the present invention, the site protector resides on the WAN side of the site's router or routing apparatus which is used to connect the enterprise site to the Internet. In alternative embodiments, the site protector will reside on the LAN side of the router. The essential point for all embodiments is that the site protector be in the path of all relevant data traffic.

To ensure secure data communications between members of the same VPN group, the site protector or VPN unit implements a combination of techniques for data packet handling when packets are to be sent between members of the group. The packet handling processes include various combinations of compression, encryption and authentication, the rules for each of which may vary for members of different groups. For each group defined as a virtual private network, the various parameters defining the compression, encryption and authentication are maintained in lookup tables in the associated VPN units. The lookup tables maintain information not only for fixed address members of the group but support is also provided for remote
clients. This ability allows remote users to dial into a local Internet Service Provider and still maintain membership in a virtual private network group for secure communications over the Internet with other members of the group. In the case of a remote client, the site protector may, in one embodiment, be simulated by software running on the remote client.

In other aspects of the present invention, the VPN units or site protectors may be dynamically configured to add or subtract members from the virtual private network group or recognize their movement, or change other parameters affecting the group. Various other packet handling aspects of the invention include addressing the problem of some data packets growing too large by the inclusion of encryption and authentication information. Another packet handling aspect provides a mechanism for Internet communications which hides information identifying the source and destination of the data packet. In this aspect of the present invention, the VPN units are treated as the source and destination for the Internet communication data packets with the VPN units encapsulating the source and destination addresses of the endstations.

BRIEF DESCRIPTION OF THE DRAWINGS

The objects, features and advantages of the present invention will be apparent from the following detailed description, in which:

FIG. 1 illustrates a prior art configuration for an exemplary enterprise's intraenterprise communication architecture.

FIG. 2 illustrates an enterprise communication scenario in accordance with the present invention utilizing the Internet or other public network space as the vehicle for conveying messages between members of a virtual private network.

FIG. 3 illustrates a flow diagram for the handling of a packet being transmitted from one member of a virtual private network group to another member over the Internet.

FIG. 4 illustrates the handling of a data packet received over the Internet by one member of a virtual private network group from another member.

FIG. 5 illustrates graphically the life cycle of a data packet being sent from one member of a virtual private network group to another over the Internet.

FIG. 6 illustrates an alternate life cycle of a data packet being sent from one member of a virtual private network group to another over the Internet where the source and destination addresses of the group members are also concealed.

DETAILED DESCRIPTION OF THE INVENTION

Protocols and an architecture are disclosed for implementing secure virtual private networks for enterprise communications over the Internet or other public network space. Although the present invention is described predominantly in terms of utilizing the Internet as a communications medium, the concepts and methods are broad enough to accomplish the implementation of secure virtual private networks over other public or insecure communications media. Throughout this detailed description, numerous specific details are set forth such as particular encryption or key management protocols, in order to provide a thorough understanding of the present invention. To one skilled in the art, however, it will be understood that the present invention may be practiced without such specific details. In other instances, well-known control structures and system components have not been shown in detail in order not to obscure the present invention.

In many instances, components implemented by the present invention are described at an architectural, functional level. Many of the elements may be configured using well-known structures, particularly those designated as [illegible] compression or encryption techniques. Additionally, for logic to be included within the system of the present invention, functionality and flow diagrams are described in such a manner that those of ordinary skill in the [illegible] to implement the particular methods without experimentation. It should also be understood that the techniques of the present invention may be implemented using a variety of technologies. For example, the virtual [illegible] described further [illegible] implemented in software running on a computer [illegible] implemented in hardware utilizing either a combination of microprocessors or other specially designed application specific integrated circuits, programmable logic [illegible] combinations thereof. It will be understood by those skilled in the art that the present invention is not limited to any one particular implementation technique [illegible] those of ordinary skill in the art, once the functionality to be carried out by such components is described, will be able to implement the invention with various technologies without undue experimentation.

Referring now to FIG. 1 there is shown a traditional scenario for intra-enterprise data communications for a distributed organization. In this illustration of an exemplary organization configuration, the enterprise consists of a headquarters location 105 with additional sites or branches 110 and 112, respectively. In modern organizations, such as the exemplary one of FIG. 1, the headquarters' site 105 as well as the branch sites 110 and 112 may each comprise numerous personnel, many of whom are provided with computers [illegible] work stations with network access. The internal network configurations at the headquarters for branches may take [illegible] area networks (LANs). For intersite communications between headquarters and the branches, dedicated or leased communications lines 115 and 120 may be provided. In addition, an optional dedicated communications path 125 may be provided between the branches 110 and 112. As an alternative to the [illegible] dedicated communications line 125 between the branches, data packets between branch 110 and branch 112 may be routed through the headquarters' network equipment.

In addition to the dedicated communications lines between the headquarters and the various branches, it is [illegible] computer users within an organization access to the Internet for electronic mail to external parties as well as for doing various types of research over the Internet using such tools as the World Wide Web, etc. As shown in FIG. 1, the usual scenario where the headquarters' site 105 and the branches 110 and 112 are each separately provided with direct access to Internet Service Providers 130, 133 and 136, respectively. This facilities the users at the various sites with their access to the Internet for the above purposes. In an alternate configuration, it may be that only the headquarters site 105 is provided with access to an Internet service provider 130 and that users of the computers of the branch sites 110 and 112 will connect to the Internet through headquarters via their dedicated communications paths 115 and 120. The downside to this alternate configuration is that it greatly increases the bandwidth utilization on the dedicated lines, perhaps to the point of saturation. An
advantage is that only one gateway to the Internet need be provided for the organization which simplifies enforcing security constraints on connections to the outside world.

In the exemplary organization 100, it is also shown that in some circumstances it may be desirable to allow customers or other business partners to dial in directly to the computer network of the organization. In FIG. 1 it is illustrated that the customer 140 may in fact carry out such communications over a communications path 145 which may be a dedicated line provided between the customer and the organization for the customer's convenience. The path 145 may also be a dial-up line which the customer might use only sporadically. Consistent with the emerging use of the Internet and its popularity, the customer 140 is shown having its own Internet connection through ISP 148.

Finally there is shown in FIG. 1 that it is frequently desirable for other members of the enterprise who may be on the road or working from home or other remote locations to exchange data with other members of the enterprise. There is thus shown remote clients 150 and 155 communicating with the headquarters over long distance telephone lines 157 and 158. This example assumes that the remote clients are in a truly remote location from the headquarters. The remote clients 150 and 155 are also respectively shown having access to the Internet through local ISPs 160 and 165.

The above description of an enterprise's data communications configuration according to FIG. 1 illustrates the disadvantages described in the previous section. These disadvantages are eliminated by implementation of the present invention as illustrated generally with reference to FIG. 2. In the enterprise network communication configuration 200 illustrated in FIG. 2, the headquarters 105, first branch 110 and second branch 112 of the organization are illustrated in a more detailed logical way than presented in FIG. 1. Thus, the headquarters 105 is illustrated with three endstations 201, 202 and 203, respectively coupled to communicate data packets over local area network (LAN) 205. Likewise, the branch site 110 is shown having a plurality of endstations 211, 212 and 213 respectively coupled to communicate data locally over LAN 215. Finally, the second branch site 112 is shown with an illustrative set of computer stations 221, 222 and 223 connected to communicate over LAN 225. The customer site 140 is also illustrated in FIG. 2 as comprising a plurality of computers illustrated by 331 and 332 coupled to communicate over the customer's LAN 235. The local area networks utilized for data communications within the headquarters, customer and branch sites may adhere to a wide variety of network protocols, the most common of which are Ethernet and Token Ring.

As can be seen in FIG. 2, the dedicated communications lines between the headquarters site 105 and the branch sites 110 and 112 as well as between the headquarters site 105 and the customer's site 140 have been eliminated. Instead, in accordance with the present invention data communications between members of the organization are intended to be carried out over the Internet or other public network space. For purposes of the present invention, it will be assumed that it is the widely emerging Internet that will be the medium for data packet transfers between members of the organization. Each of the LANs for the particular sites illustrated in FIG. 2 ultimately interconnect to the Internet 250 through an associated routing or gateway device which are identified as routers 240, 242, 244 and 246, respectively. It is to be understood that data packets conveyed between the various sites illustrated in 200 would traverse, in many cases, a plurality of additional routing devices on their way between the source and destination sites for the packets. The mechanisms for data packet transfers over the Internet are well known and are not described in great detail herein. It is understood that data packets are assembled in accordance with the Internet Protocol (IP) and are referred to herein as packets regardless of the version of the Internet protocol presently in effect. In the case of the remote clients 150 and 155 illustrated in FIG. 2 it is understood that they utilize communication software to dial up a local Internet service provider which itself provides the gateways necessary for communications over the Internet 250.

As described above, prior efforts to utilize the [illegible] communications have required an awareness or implementation of security considerations at the endstations. This is disadvantageous when transparency to an end user is desirable. The present invention, on the other hand, is transparent to end users with data communications over the Internet occurring exactly as they appear to [illegible]. [illegible] same virtual private network, data communications are [illegible]. As illustrated in FIG. 2, between the Internet 250 and each of the respective routers 240, 242, 244 and 246, are Virtual Private Network Units (VPNUs) 250, 252, 254 and 256. In accordance with the particular illustrated embodiment of the present invention, the VPNUs reside between a site's router and the path to the Internet. It should be understood that this placement of VPN units in the overall system architecture represents only one placement choice. It will be clear from the materials that follow that the key point with respect to VPNU placement is that they reside in the path of data traffic. In many embodiments, it may in fact prove desirable to situate the VPNU on the LAN side of a site's router. As will be described in more detail below, the VPN units maintain lookup tables for identifying members of specific virtual private network groups.

When a data packet is sent between source and destination addresses that are both members of the same VPN group, the VPNU will process the data packet from the sending side in such a way as to ensure that it is encrypted, authenticated and optionally compressed. Likewise, the VPNU servicing the site where the destination address is located will detect that [illegible] propagated between members of the same VPN group. The receiving VPNU will handle the process of decrypting and authenticating the packet before forwarding toward the destination endstation. In this way, secure data communications between end users is effected in a manner that is transparent to the end users. In the case of remote clients 150 and 155, the VPNU may be simulated in software which operates in conjunction with the communication software for connecting the remote client to the associated local Internet service provider.

The functionality of the VPN units will be described with reference to the following figures beginning with the flowchart of FIG. 3. When a data packet originates from an endstation, such as endstation 202 of LAN 205 at site 105, and its destination is to a remote site, other than the headquarters site 105, it will initially be treated as an ordinary Internet data packet transfer. The packet will proceed from the endstation 202 over the LAN 205 to the routing device 240 which will encapsulate the data packet in accordance with the Internet Protocol, forming an outbound IP packet. On its way out of the site, the IP packet will pass through the associated VPN unit for the site. The flowchart illustrated at FIG. 3 shows the functional operation of a VPN unit for an outbound packet that is received thereby. The Transmit Packet procedure 300 begins when the outbound
data packet is received at the VPNU at step 310. At decision 
box 320, it is determined whether or not the source and 
destination addresses for the data packet are both members 
of the same VPN group. This determination may be made 
with reference to lookup tables that are maintained by the 
VPN units or reference to other memory mechanisms. This 
step may be thought of as member filtering for data packets 
being transmitted between the particular site and the VPN 
unit which services it. If the source and destination address 
for the data packet are not both members of the same VPN 
group, then at step 330 the packet is forwarded to the 
Internet as ordinary Internet traffic from the site as though 
the VPNU were not involved. In which case, the procedure 
ends at step 335. In one alternative embodiment, it may be 
desirable to discard data traffic that is not destined between 
members of a VPN group rather than forwarding it as 
unsecure traffic. In another alternative embodiment, it may 
be desirable to provide the option to either pass or discard 
non-VPN-group data traffic. 

If, at decision box 320, the member filter, it is determined 
that both the source and destination addresses for the data 
packet are members of the same VPN group, then the data 
packet is processed at step 340 undergoing various combi- 
nations of compression, encryption and authentication. The 
lookup tables maintained by the VPN unit 250 and all of the 
VPN units, in addition to identifying members of particular 
VPN groups, also identify whether or not data packets 
transferred between members of the particular VPN group 
are to be compressed and if so, what algorithm is to be used 
for compression. Many possible compression algorithms are 
well-known, but in one embodiment of the invention, LZW 
compression is implemented. The lookup table for the VPN 
group of which the source and destination addresses are 
members also identifies the particular encryption algorithm 
to be used for data packets traversing the Internet for that 
VPN group as well as the authentication and key manage- 
ment protocol information to be used thereby. As an alter- 
native to lookup tables, the VPNU may be programmed to 
always use the same algorithms for all VPN groups. 

The particular packet processing algorithms to be used for 
VPN traffic may vary, so long as the lookup tables in both 
the sending and receiving VPN units identify the same 
compression, encryption and authentication rules and are 
capable of implementing and deimplementing them for 
members of the same group. It is to be understood that a 
single VPNU may serve multiple VPN groups and that 
particular addresses may be members of multiple groups. 
Thus, at step 340, when a packet is destined from one 
member of the VPN group to another, the packet is pro- 
cessed according to the compression, encryption and authen- 
tication rules identified in the VPNU tables for that particu- 
lar VPN group. Then, at step 350, the processed packet is 
forwarded toward the destination address over the Internet. 
The procedure of the sending VPN unit then ends at step 
355. 

The receiving VPNU reverses the above processes for 
VPN traffic as illustrated by the flowchart of FIG. 4. The 
Receive Packet procedure 400 begins at step 410 when an 
inbound data packet is received from the Internet at the 
receiving VPN unit. At decision box 420, the inbound data 
packet is examined to determine if the source and destina- 
tion addresses of the data packet are both members of the 
same VPN group. It is assumed that the lookup tables 
maintained by all of the VPN units are both consistent and 
coherent. If the inbound data packet is determined not to be 
VPN traffic, then the packet is passed through and forwarded 
to the receiving site as though it were normal Internet data 
traffic at step 430. In which case the process ends at step 435. 
In one alternative embodiment, it may be desirable to 
discard incoming data traffic that is not from an identified 
member of a VPN group supported by the VPNU. 

For data packets that are determined to be VPN traffic at 
decision box 420, the VPN unit will process the inbound 
packet to recover the original data packet as it was provided 
from the source endstation. The lookup table maintained by 
the receiving VPN unit will identify the compression, 
encryption and authentication rules used for the VPN group 
and reconstruct the original IP packet in accordance with 
those rules at step 440. Then, the reconstructed packet will 
be delivered to the site of the destination address at 450 with 
the procedure ending at step 455. 

FIG. 5 illustrates graphically the life cycle of the data 
packet sent between two members of the same VPN group. 
The data packet originates from a source 500 and propagates 
from the source's site through its associated router to gen- 
erate IP data packet 510. The data packet 510 is not intended 
to illustrate all the fields associated with a complete IP data 
packet, but shows the relevant portions for this discussion 
which include the destination address, source address and 
the payload information of the packet. The data packet 510 
is then examined by the VPN unit which determines whether 
the data packet is traffic between members of an identified 
VPN group. The VPN unit 520 processes the packet in 
accordance with the packet processing procedures described 
above with respect to FIG. 3 with the resulting packet being 
illustrated as packet 530. Packet 530 still identifies the 
destination and source addresses of the data packet, but the 
remainder of the packet is encrypted, and optionally com- 
pressed. 

Following processing by the outbound VPNU, the data 
packet is propagated through the Internet to 550 with the 
destination and source information identifying to the asso- 
ciated routers of the Internet the path by which the packet 
should ultimately take to reach its destination. The packet 
emerges from the Internet at the edge of the destination site 
as data packet 540 which is essentially identical to the data 
packet 530. The packet is "deprocessed" by the receiving 
VPN unit 550 which restores the original packet into its form 
560 for delivery to the ultimate destination through the 
receiving site's associated router at destination 570. 

As was described above, the present invention approach 
to virtual private networks supports not only optional com- 
pression of data packets, but encryption and authentication 
techniques as well. One emerging standard for key manage- 
ment in connection with Internet Protocol data transfers with 
authentication is referred to as simple key management for 
Internet Protocol (SKIP) which is described by U.S. Pat. No. 
5,588,060 assigned to Sun Microsystems, Inc. of Mountain 
View, Calif. Authenticated data transfers using SKIP support 
a mode of data transfer referred to as tunnel mode. The 
above described data transfer with respect to FIG. 5 illus- 
trates a transport mode of operation in which the data and 
source addresses are exposed as the data packet traverses the 
Internet. In tunnel mode, an added measure of security may 
be provided by encapsulating the entire data packet in 
another packet which identifies the source and destination 
addresses only for the VPN units. This conceals the ultimate 
source and destination addresses in transit. 

FIG. 6 illustrates the life cycle of a data packet being 
propagated from a source 600 to a destination 670 utilizing 
tunnel mode. In this mode of operation, the data packet 610 
is processed by outbound VPNU 620 which generates a 
resulting packet 630. The resulting packet 630 encrypts and 
compresses (optionally) not only the data payload of the 
packet, but the destination and source addresses of the 
endstations as well. The encapsulated packet is then pro- 
vided with an additional header that identifies that the source 
of the packet is the outbound VPNU 620 and that the 
destination is the inbound VPNU 650. Thus, the packet 640 
which emerges from the Internet is identical to the packet 
630 with respect to its source and address information and 
encapsulated payload. The packet is decomposed by the 
inbound VPNU 650 to reconstruct the original data packet at 
660 for delivery to the destination 670. 
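A runnable model of the Transmit Packet procedure 300, the Receive Packet procedure 400 and the two packet life cycles of FIGS. 5 (transport mode) and 6 (tunnel mode), written for this edit rather than taken from the patent. The group table, addresses, keys and the outer tunnel-mode format are constructed assumptions, and the HMAC-derived keystream is only a stand-in for whatever cipher a group's table entry would name.

```python
import hashlib
import hmac
import os
import zlib
from dataclasses import dataclass

# Constructed lookup table modelled on the per-group rules the VPN units keep:
# members, whether to compress (LZW in the patent; zlib stands in here), and
# the keys behind the encryption and authentication rules. All values invented.
VPN_TABLE = {
    "eng": {"members": {"10.1.0.2", "10.2.0.3"}, "compress": True,
            "enc_key": b"constructed-enc-key", "auth_key": b"constructed-auth-key"},
}
# Which VPN unit fronts each member's site (outer addresses for tunnel mode).
VPNU_FOR = {"10.1.0.2": "198.51.100.1", "10.2.0.3": "198.51.100.2"}
VPNU_ADDRS = set(VPNU_FOR.values())


@dataclass
class Packet:
    src: str
    dst: str
    payload: bytes


def group_of(src, dst, table=VPN_TABLE):
    """Member filter (FIG. 3 box 320, FIG. 4 box 420): group holding both addresses, else None."""
    for name, rules in table.items():
        if src in rules["members"] and dst in rules["members"]:
            return name
    return None


def _keystream(key, nonce, length):
    # Toy counter-mode keystream from HMAC-SHA256, standing in for whatever
    # cipher the group's table entry names; not a production cipher.
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(length // 32 + 1)]
    return b"".join(blocks)[:length]


def protect(rules, data):
    """Step 340: optionally compress, then encrypt, then authenticate (encrypt-then-MAC)."""
    if rules["compress"]:
        data = zlib.compress(data)
    nonce = os.urandom(12)
    ks = _keystream(rules["enc_key"], nonce, len(data))
    body = nonce + bytes(a ^ b for a, b in zip(data, ks))
    return body + hmac.new(rules["auth_key"], body, hashlib.sha256).digest()


def unprotect(rules, blob):
    """Step 440: verify the tag before decrypting, then decrypt and decompress."""
    body, tag = blob[:-32], blob[-32:]
    expected = hmac.new(rules["auth_key"], body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: modified in transit or not from a member")
    nonce, ct = body[:12], body[12:]
    data = bytes(a ^ b for a, b in zip(ct, _keystream(rules["enc_key"], nonce, len(ct))))
    return zlib.decompress(data) if rules["compress"] else data


def transmit(pkt, tunnel=False, drop_non_vpn=False):
    """Transmit Packet procedure 300. Returns (disposition, packet on the wire or None)."""
    group = group_of(pkt.src, pkt.dst)
    if group is None:                       # step 330: ordinary Internet traffic
        return ("drop", None) if drop_non_vpn else ("pass", pkt)
    rules = VPN_TABLE[group]
    if not tunnel:                          # FIG. 5: addresses exposed, rest protected
        return ("vpn", Packet(pkt.src, pkt.dst, protect(rules, pkt.payload)))
    # FIG. 6: whole packet (addresses included) protected; the outer header names
    # the VPN units, and the group id travels in the clear so the peer can select
    # its rules (an assumption of this example; the page does not fix the format).
    inner = f"{pkt.src}|{pkt.dst}|".encode() + pkt.payload
    outer = group.encode() + b"|" + protect(rules, inner)
    return ("vpn", Packet(VPNU_FOR[pkt.src], VPNU_FOR[pkt.dst], outer))


def receive(pkt, drop_non_vpn=False):
    """Receive Packet procedure 400: reverse whatever the sending unit did."""
    if pkt.src in VPNU_ADDRS and pkt.dst in VPNU_ADDRS:      # tunnel-mode outer header
        group, blob = pkt.payload.split(b"|", 1)
        inner = unprotect(VPN_TABLE[group.decode()], blob)
        src, dst, payload = inner.split(b"|", 2)
        return ("vpn", Packet(src.decode(), dst.decode(), payload))
    group = group_of(pkt.src, pkt.dst)
    if group is None:                       # step 430: pass through (or discard)
        return ("drop", None) if drop_non_vpn else ("pass", pkt)
    return ("vpn", Packet(pkt.src, pkt.dst, unprotect(VPN_TABLE[group], pkt.payload)))
```

A packet whose tag fails verification on the receiving side raises `ValueError` rather than being forwarded, which is the check that catches modification in transit or packets initiated by impostors.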

The overall architecture of the present invention is robust. 
It allows end users the convenience of proprietary data 
communications to take place over a public network space 
such as the Internet. The architecture of the present invention also allows a wide variety of compression, encryption 
and authentication technologies to be implemented, so long 
as the VPN units at each end of the transaction support the 
associated protocols. The present invention is also capable 
of working in concert with traditional Internet security 
mechanisms such as corporate firewalls. A firewall might 
operate in series with the VPN unit at a given site, or, 
intelligently be configured in a single box with the VPN unit 
to provide parallel firewall and VPN unit security functions. 

There has thus been described a protocol and architecture 
for implementing virtual private networks for using a public 
network space for secure private network data communica- 
tions. Although the present invention has been described 
with respect to certain exemplary and implemented 
embodiments, it should be understood that those of ordinary 
skill in the art will readily appreciate various alternatives to 
the present invention. Accordingly, the spirit and scope of 
the present invention should be measured by the terms of the 
claims which follow. 

What is claimed is: 

1. A method for sending a data packet from a first member 
of a virtual private network to a second member of said 
virtual private network comprising the steps of: 

receiving said data packet enroute to said second member; 

determining that said data packet is being sent between 
members of said virtual private network; 

determining the packet manipulation rules for packets 
sent between members of said virtual private network; 

forming a secure data packet by executing said packet 
manipulation rules on said data packet; and 

forwarding said secure data packet to said second member 
of said virtual private network; 

wherein said step of determining the packet manipulation 
rules comprises the step of accessing a lookup table that 
maintains information identifying compression, 
encryption and authentication algorithms to be utilized 
for data packets sent between members of the virtual 
private network; 

wherein said step of forming a secure data packet com- 
prises the steps of encrypting at least a payload portion 
of the data packet according to the identified encryption 
algorithm; and providing authentication information 
for the data packet according to the identified authen- 
tication algorithm; and 

wherein said step of forming a secure data packet further 
comprises the step of compressing said payload portion 
of the data packet according to the compression algo- 
rithm identified. 

2. The method according to claim 1, wherein said com- 
pressing step occurs prior to said encrypting step. 

3. A method for securely exchanging data packets by 
members of a virtual private network comprising the steps 
of: 

generating a first data packet which includes a source 
address, a destination address and a data payload por- 
tion; 

transmitting said first data packet toward the destination 
address; 

intercepting said first data packet enroute to said destina- 
tion address; 

verifying that said first data packet is being sent between 
members of a virtual private network group; 

determining the packet manipulation rules for packets 
sent between members of said virtual private network 
group; 

generating a second data packet by performing said 
packet manipulation rules on said first data packet; 

forwarding said second data packet toward said destina- 
tion address; 

receiving said second data packet; 

verifying that said second data packet is being sent 
between members of said virtual private network 
group; 

determining the packet manipulation rules for packets 
sent between members of said virtual private network 
group; 

generating a third packet by reversing the identified 
packet manipulation rules, said third packet including 
said data payload portion; and 

delivering said third data packet to said destination 
address. 

4. The method according to claim 3 wherein said second 
packet conceals said source and destination addresses. 

5. The method according to claim 3 wherein said step of 
generating a third packet includes the step of recovering said 
source and destination addresses for inclusion in said third 
packet. 
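The tunnel-mode life cycle of FIG. 6 and the steps of claims 1 to 3, as an added Python example that is not part of the patent text or of any product it describes. The group membership table, the packet manipulation rules lookup table, the VPN unit addresses and the keys are all constructed for illustration; zlib deflate stands in for the compression algorithm, an HMAC-SHA256 counter-mode keystream stands in for the encryption algorithm, and HMAC-SHA256 over the ciphertext supplies the authentication information. The function names (`outbound`, `inbound`, `vpnu_for`) are this example's own.

```python
# Added example (not from the patent): a toy tunnel-mode VPN unit pipeline.
import hashlib
import hmac
import ipaddress
import os
import struct
import zlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str        # dotted-quad source address
    dst: str        # dotted-quad destination address
    payload: bytes


# Constructed group table (hypothetical addresses): each member subnet of the
# VPN group and the VPN unit that fronts it (outbound VPNU 620 / inbound VPNU 650).
VPN_GROUP = {
    ipaddress.ip_network("10.1.0.0/16"): "198.51.100.1",
    ipaddress.ip_network("10.2.0.0/16"): "203.0.113.1",
}
VPN_UNITS = set(VPN_GROUP.values())

# Constructed lookup table of packet manipulation rules for traffic between
# group members (the claim 1 table), and the algorithms this unit supports.
RULES = {"compress": "deflate", "encrypt": "hmac-sha256-ctr", "auth": "hmac-sha256"}
SUPPORTED = {"compress": {"deflate"}, "encrypt": {"hmac-sha256-ctr"}, "auth": {"hmac-sha256"}}

# Constructed demo keys. A real unit would obtain them through key management
# such as SKIP; they are fixed here only so the example runs offline.
ENC_KEY = b"\x11" * 32
MAC_KEY = b"\x22" * 32
NONCE_LEN = 16
TAG_LEN = 32


def vpnu_for(addr):
    """Return the VPN unit fronting addr, or None if addr is not a group member."""
    ip = ipaddress.ip_address(addr)
    for net, unit in VPN_GROUP.items():
        if ip in net:
            return unit
    return None


def lookup_rules():
    """Claim 1: consult the rules table; both ends must support every algorithm."""
    for step, algo in RULES.items():
        if algo not in SUPPORTED[step]:
            raise ValueError(f"unsupported {step} algorithm {algo}")
    return RULES


def keystream(key, nonce, n):
    """HMAC-SHA256 in counter mode, a stand-in keystream for whatever cipher
    the rules table would name in a real deployment."""
    out = b""
    ctr = 0
    while len(out) < n:
        out += hmac.new(key, nonce + struct.pack(">I", ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def encode_inner(pkt):
    """Serialise the whole end-station packet; its addresses travel inside the tunnel."""
    return ipaddress.ip_address(pkt.src).packed + ipaddress.ip_address(pkt.dst).packed + pkt.payload


def decode_inner(raw):
    return Packet(str(ipaddress.ip_address(raw[:4])), str(ipaddress.ip_address(raw[4:8])), raw[8:])


def outbound(pkt, nonce=None):
    """Outbound VPNU: intercept, verify membership, apply the rules, encapsulate
    with the VPN units' own addresses, forward (FIG. 6, packet 610 -> 630)."""
    src_unit, dst_unit = vpnu_for(pkt.src), vpnu_for(pkt.dst)
    if src_unit is None or dst_unit is None:
        return pkt                                   # not intra-VPN: pass through unchanged
    lookup_rules()
    nonce = nonce or os.urandom(NONCE_LEN)
    compressed = zlib.compress(encode_inner(pkt))    # claim 2: compress before encrypting
    ciphertext = xor(compressed, keystream(ENC_KEY, nonce, len(compressed)))
    body = nonce + ciphertext
    tag = hmac.new(MAC_KEY, body, hashlib.sha256).digest()   # authenticate the ciphertext
    return Packet(src_unit, dst_unit, body + tag)     # outer header names only the VPNUs


def inbound(pkt):
    """Inbound VPNU: verify, reverse the rules, rebuild the original packet (640 -> 660)."""
    if pkt.src not in VPN_UNITS or pkt.dst not in VPN_UNITS:
        return pkt                                   # not a tunnel packet: pass through
    lookup_rules()
    body, tag = pkt.payload[:-TAG_LEN], pkt.payload[-TAG_LEN:]
    expected = hmac.new(MAC_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: packet dropped")   # check tag before decrypting
    nonce, ciphertext = body[:NONCE_LEN], body[NONCE_LEN:]
    compressed = xor(ciphertext, keystream(ENC_KEY, nonce, len(ciphertext)))
    return decode_inner(zlib.decompress(compressed))
```

The outbound unit compresses, then encrypts, then authenticates (claim 2's ordering, with the tag computed over the ciphertext so a forged packet is rejected before any decryption or decompression runs). Both units pass through any packet whose addresses are not in the group, which is the verifying step of claim 3, and the packet that crosses the public network carries only the two VPN units' addresses, the concealment claim 4 describes.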